I travel frequently for business — to attend industry conferences such as RSA Conference and Black Hat and to meet with clients. Whenever I travel, I bring my work laptop, my personal cellphone enabled with work email and calendar, and, of course, all my personal data that follows me everywhere I go — my digital identity. Millions of people travel for business every year, potentially putting their personal information and their employer’s sensitive data at risk.
When you’re at the airport trying to send some work emails before boarding a long flight, you might not give a second thought to connecting to an unsecured Wi-Fi hot spot. Or when your cellphone battery is dying and you plug into a USB charging station, you might not consider who else may have been tampering with these “free” resources. I’ve been there myself. I know that open Wi-Fi is sometimes better than no Wi-Fi, which is why I always use a virtual private network (VPN) when logging on outside the corporate network.
Not everyone is so careful.
According to a new research report from Morning Consult on behalf of IBM Security, travelers frequently don’t consider the risks of activities like connecting to public Wi-Fi, charging their devices at public USB stations and logging into publicly accessible computers, such as a workstation in a hotel business center. What’s more concerning is that people engage in these risky behaviors while traveling for business at an even higher rate than when traveling for personal reasons.
Travel and Transportation Industry Under Threat
The Morning Consult and IBM Security travel cybersecurity study found that having your privacy and security breached when traveling is perhaps more common than you think: More than 1 in 7 travelers in the survey said they had their personal information stolen at least once while traveling. That’s pretty shocking. Then again, it’s no surprise that travelers are at a high risk of data loss when you consider that the travel and transportation industry has come under increasing threat in the past couple of years.
The incident involving the Starwood guest reservation database owned by Marriott International was one of the biggest data breaches ever, affecting up to 500 million customers. But cybercriminals aren’t stopping there. According to IBM X-Force Incident Response and Intelligence Services (IRIS) analysis of attacks attempted against our customers, the travel and transportation industry was the No. 2 target of cyberattacks in 2018, behind only the financial services industry. The threats are increasing too; travel and transportation was only the tenth most targeted industry in 2017.
Why the big uptick in attacks on organizations in the travel and transportation industry? These companies have a gold mine of information about their customers that cybercriminals can exploit for numerous illicit money-making schemes. If a cybercriminal can access your personally identifiable information (PII) and payment card information, he or she may be able to commit fraud before your bank can detect it. But if the cybercriminal steals passport numbers and credentials for travel loyalty and rewards accounts, that information can be sold on the dark web for thousands of dollars. In some cases, cybercriminals target high-profile individuals with social engineering using information gleaned from their personal data, such as their religion, ethnicity, country, travel history and more, or infer business activity from the destinations they travel to.
Risky Business Travelers
Despite the seriousness of the threat, the travel cybersecurity study found some pretty relaxed behaviors that could put information at risk. Consider that, although 38 percent of respondents said they put a great deal or extreme amount of effort into protecting their information when traveling, the huge majority of travelers admitted to engaging in risky behaviors like connecting automatically to Wi-Fi networks. And, as I mentioned above, people engage in the riskiest behaviors even more when they are on the road for business:
- Eighty-four percent of business travelers versus 76 percent of personal travelers connect to public Wi-Fi networks. Just 13 percent of business travelers said they never connect to public Wi-Fi.
- Seventy-nine percent of business travelers versus 63 percent of personal travelers charge devices using public USB ports and charging stations.
- Sixty-four percent of business travelers versus 47 percent of personal travelers log in to an account on a publicly accessible computer, such as one in a hotel business center.
- Sixty percent of business travelers versus 46 percent of personal travelers discard their travel itineraries or paper documents, such as boarding passes and hotel receipts, without shredding them.
Can you tell the difference between a good USB stick and a bad one? A plugged-in “USB Killer” can destroy devices from laptops to control systems with power surges from disguised capacitors.
Travelers seem to take the risks to their financial information seriously, with 53 percent of respondents to the survey saying that they are concerned their credit card or other sensitive digital information will get stolen when traveling. Only 31 percent said that they are concerned this information will be stolen at home. So, you might ask, why aren’t they doing more to protect that information?
We see this disconnect in security all the time. People say they are concerned about cyberthreats and data breaches, but they don’t do basic things like keep their devices updated with security patches, use strong passwords and password managers, and limit information sharing on public websites and social media. I think it comes down to a simple equation: People think the personal cost of a little less convenience outweighs the potential cost of a security breach.
Business Leaders a Big Target
Everyone needs to practice good security hygiene, but some targets are much more attractive to cyber adversaries, and extra precautions should be taken. Senior executives, especially CEOs and other members of the C-suite, are the cream of the crop. According to a recent research report, C-level executives were 12 times more likely to be targeted in 2018 than they were the year before.
There have been some major attacks in recent years that targeted senior executives who were traveling. One such attack, known as Darkhotel, compromised hotel Wi-Fi networks for highly targeted attacks on VIP guests at hotels across Asia. Alarmingly, the attacks used social engineering tricks to get targets to download malware from fake Wi-Fi login pages before they could engage a VPN.
Even less sophisticated attackers could use simple tools like Wi-Fi Pineapples to intercept signals from a target’s device as it searches for a known network. Once the cybercriminal knows the names of networks a target has connected to previously, he or she can set up a network that spoofs one of those networks or gather intelligence on the target’s travel behavior, such as where an executive spends vacation or the names of networks where he or she works.
This kind of intelligence is valuable to attackers, and it’s easy to find even more information on a target by searching for identities on the dark web or public-facing websites. It’s unbelievable how much leaked data you can find on the web. Cybercriminals will just dump huge troves of stolen data on sites like Pastebin for anyone to find — everything from names and email addresses to passport numbers and even travel itineraries for upcoming trips. With this information, an adversary can create spear phishing or social engineering attacks, such as communications claiming to come from a hotel or airline.
Tips to Stay Cyber-Secure
Here are some simple security tips to stay safe when you’re on the road. Sticking to these habits may sometimes be inconvenient, but the security of your personal and business information is worth it.
- Be careful where you connect. Avoid using public Wi-Fi if you can, but if you have to use public Wi-Fi, make sure you know what network you’re connecting to. If there’s a login page, make sure the URL is legitimate and the password you use is what the hotel, café or airline provides. Set your devices to require authorization before connecting to Wi-Fi. Always use a VPN, which encrypts your web traffic and communications so spies can’t see your messages or what sites you’re connecting to.
- Bring a backup battery. USB devices like thumb drives and even power strips can be rigged with malicious code. Avoid plugging your device into anything — or plugging anything into your device — that you’re unsure about. Bring a backup battery and your own charging brick.
- Monitor loyalty rewards accounts. Do a security health check on your travel rewards accounts. Watch for suspicious activity and protect those accounts with strong passwords (I recommend an easy-to-remember but hard-to-guess passphrase of 16 characters or more). Use two-factor authentication (2FA) wherever possible.
- Shred your tickets. Your tickets, boarding passes, luggage tags and hotel receipts may seem useless after a trip, but savvy criminals can gather a lot of information about your loyalty rewards program from them. Hang onto them until you can shred them.
- Clean up your tracks. Avoid using shared public computers for things like accessing sensitive work apps, email and banking. If it’s absolutely necessary, make sure to log out of private accounts when finished.
- Pay with credit. Cybercriminals can rig point-of-sale devices and even ATMs with skimmers. Don’t use debit cards at point-of-sale — instead, use a travel credit card. If you use an ATM, select one inside a bank branch where it’s less likely to have been tampered with.
- Don’t give away your location. You don’t want potential adversaries to know when you’re not home or where you’ll be. Don’t post your whereabouts on public social media accounts. Even if you don’t think you’re giving away your location by naming where you are or where you’re going, your devices may give you away by tagging your location in photos. Turn off location sharing on your phone if you don’t really need it.
Caleb Barlow is an accomplished security professional and former Vice President at IBM Security, where he led IBM's Threat Intelligence and Incident Response...